Information Commissioner's Office 


ICO consultation on the draft right of access guidance 


The right of access (known as subject access) is a fundamental right 
of the General Data Protection Regulation (GDPR). It allows 
individuals to find out what personal data is held about them and to 
obtain a copy of that data. Following on from our initial GDPR 
guidance on this right (published in April 2018), the ICO has now 
drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the 
obligations on controllers. The draft guidance also explores the 
special rules involving certain categories of personal data, how to 
deal with requests involving the personal data of others, and the 
exemptions that are most likely to apply in practice when handling a 
request. 


We are running a consultation on the draft guidance to gather the views 
of stakeholders and the public. These views will inform the published 
version of the guidance by helping us to understand the areas where 
organisations are seeking further clarity, in particular taking into 
account their experiences in dealing with subject access requests since 
May 2018. 


If you would like further information about the consultation, please 
email SARguidance@ico.org.uk. 


Please send us your response by 17:00 on Wednesday 12 February 
2020. 


Privacy statement 


For this consultation, we will publish all responses received from 
organisations but we will remove any personal data before 
publication. We will not publish responses received from respondents 
who have indicated that they are an individual acting in a private 
capacity (e.g. a member of the public). For more information about 
what we do with personal data see our privacy notice. 


Please note, your responses to this survey will be used to help us with 
our work on the right of access only. The information will not be used to 
consider any regulatory action, and you may respond anonymously 
should you wish. 


Please note that we are using the platform Snap Surveys to gather 
this information. Any data collected by Snap Surveys for ICO is 
stored on UK servers. You can read their Privacy Policy. 


Q1 Does the draft guidance cover the relevant issues about the right 
of access? 


[ ] Yes 
[X] No 
[ ] Unsure/don’t know 


If no or unsure/don’t know, what other issues would you like to be 
covered in it? 


From our perspective the guidance does not sufficiently cover the most 
relevant/pressing issue about the right of access, which is the management 
of/response to SARs stated in very broad terms which cover a very large volume 
of material. We consider that there is a need in particular for more guidance on 
applying the “manifestly unfounded or excessive” exemption. 


The major issue for us in managing SARs compliance is the “all my personal 
data” type SAR, especially (but not exclusively) when submitted by a current or 
former staff member. 


Background: As a university we are a large organization and accept the need to 
devote significant resource to SARs compliance. However universities are very 
data-rich/data-heavy environments, and also very complex data environments. 
The nature of the HE sector and the way in which universities are structured 
mean that staff members will be simultaneously involved in teaching and 
associated activities (e.g. marking and assessment), bringing them into contact 
with students, pastoral support for students, research activity (which is often 
carried out collaboratively with individuals in other universities and may involve 
contact with individual members of the public who are research participants) and 
the activities involved in running the organization (administration, planning, 
quality control, people management). This means that searches for an 
individual staff member’s personal data will locate information of many different 
types, being processed by different people for different purposes and, crucially, 
in a high proportion of instances linked to or surrounded by third party personal 
data. We think that the extent of third party data associated with data subject 
personal data would be significantly more than in most other settings. In 
addition, a substantial proportion of that personal data would be of a nature that 
can’t automatically be disclosed in response to a subject access request (e.g. 
student data, junior staff data, staff data relating to confidential matters, 
possibly research participant data). Email accounts in particular will contain 
large amounts of student and other staff data, and due to the way that 
universities are structured and operate in practice a very significant proportion 
of material is processed through and held in Outlook accounts. 


Problematic requests: Each year we process several requests from current or 
former staff members for “all my personal data held by the University”. 
Identifying where this data is held and why we are processing it is not in itself 
difficult, but the process of extracting it from systems, reviewing it and 
processing the disclosure is very resource-intensive. In general there will be 
1000s of items within email accounts which fall within the scope of this type of 
request, including attached documents of many different kinds as well as 
messages. For the reasons described above they include substantial third party 
personal data (staff, students and others). Often the subject access request is 
made in the context of grievance procedures and employment claims, and the 
underlying purpose is to find any comments or information which could be seen 
as supporting aspects of the grievance/claim, so the requesters are not 
amenable to requests to identify specific information or processing they are 
interested in. 


To give a flavour of the scope of these requests, to comply fully with the request 
would have required us to search and extract material from more than 400 staff 
Outlook accounts, in addition to providing material in HR files and files relating 
to the requester’s formal grievance. Even where such requests are limited to a 
specific time frame, the breadth of the scope and the nature of our data 
processing means that searches tend to retrieve several 1000s of Outlook items 
and documents which need to be reviewed so that the third party personal data 
within them can be considered and removed/redacted where appropriate. 


We would emphasise that the difficulty with these requests is not the volume of 
material as such, but the volume combined with the nature of the content, 
particularly around third party data. 


We have applied the “excessive” exemption to some of these requests on the 
basis that the following factors are relevant: 


• The fact that the requester, as a staff member/former staff member is 
already aware of the type of processing of their personal information 
which is evidenced in the emails. The core purpose of the subject access 
right is to ensure that data subjects are aware of the nature, extent and 
purpose of the processing of their personal data which is being carried out 
by a data controller. Staff members already have a good understanding 
of the types of information that would be routinely processed by email in 
relation to them in their role in the organization, and are of course aware 
of grievance/disciplinary processes in which they were involved and type 
of data processing undertaken for this; 


• The nature of the material requested, specifically emails (and their 
attachments) held within individual staff email accounts. This material 
will include: 


o significant amounts of emails of which the requester was an 
original sender or recipient, which means that they will already 
have seen the material in the email and any attachments; 


o significant amounts of personal data of individuals other than the 
requester; and 


o where the scope of the request included communications and 
documents relating to a formal grievance process and investigation, 
the third party personal data will include information provided in 
confidence which is of a sensitive nature. Information may also be 
of a sensitive nature where it relates e.g. to the performance or 
personal circumstances of students or to performance or personal 
circumstances of other staff which are referenced in 
emails/documents in the course of people management or 
administrative activity. 


• The scope of the searches which have to be undertaken to identify 
material within the scope of this sort of request and prepare materials 
appropriate for disclosure. Initial searches for this type of request tend to 
identify high numbers of emails and/or attachments, and these then need 
to be reviewed to identify those which do contain the requester’s personal 
data and to remove third party personal data where required; 


Taking these factors into account, the response to this type/scope of 
request is likely to provide the requester with a very limited amount of 
new information about the scope of their personal data processed by the 
University and the types/purposes of that processing, which would be 
disproportionate to the work and resources involved in complying with the 
response. 


To illustrate the proportionality point, in the recent SAR referred to above, 
we processed the request in part and on the basis that we would not 
disclose material that had already been seen by the requester (as they 
were an original sender or recipient). The result was that the volume of 
material (i.e. number of pages) actually disclosed to the requester was 
estimated as being less than 20% of the total amount of material that 
was identified through initial searches and which then had to be 
reviewed. Even within that disclosure bundle (i.e. within the 20%) there 
was still a substantial amount of material which had previously been seen 
by the requester, but which was disclosed as it was part of a chain of 
emails, or as an enclosure or attachment to materials, which had not 
previously been seen by the requester in its entirety. 


We would welcome guidance which engages with these issues and indicates 
whether/when the use of the “excessive” exemption on this basis would be 
supported and the expectation with regard to disclosure of material which has 
already been seen by the requester or which represents a type/purpose of 
processing already known to the requester. 


In addition, in cases such as the one described above, rather than refusing to 
comply with the request at all we have taken steps to provide a proportionate 
response, applying the requester’s views on which aspects of the 
request/categories of their personal data are a particular priority. It would be 
helpful to have guidance on whether this is appropriate. 


Q2 Does the draft guidance contain the right level of detail? 


Yes 
No 


Xl 


Unsure/don’t know 


If no or unsure/don't know, in what areas should there be more detail 
within the draft guidance? 


The guidance provides helpful new guidance in certain areas. We welcome the more 
detailed treatment of third party personal data and detail in other areas, such as deleted 
items, information held on personal computers and devices etc. We also welcome the 
detail on what constitutes a “complex” request. 


However other areas would benefit from more detail. In particular, as outlined above, 
we would welcome further detail on the application of the “excessive” exemption. In 
addition, the guidance on specific exemptions does not add much to the plain meaning of 
the words in the legislation. 


Q3 Does the draft guidance contain enough examples? 


Yes 
X No 


Unsure/don’t know 


If no or unsure/don’t know, please provide any examples that you 
think should be included in the draft guidance. 


Please see the example given above in relation to “excessive” requests. 


We would find it helpful to have more examples of how to deal with third party personal 
data. The additional detail in the guidance recognizing the difficulties in processing 
requests which include significant personal data is helpful. However it would be useful for 
the guidance to address the reality that many SARs are made where there is or has been 
an internal complaint/grievance/disciplinary process, and to confirm where the ICO 
accepts that duties of confidentiality to other employees, students, third parties etc. may 
arise in those processes. 


Q4 


We have found that data protection professionals often struggle with applying and 
defining ‘manifestly unfounded or excessive’ subject access requests. We would 
like to include a wide range of examples from a variety of sectors to help you. 
Please provide some examples of manifestly unfounded and excessive requests 
below (if applicable). 


See above. 


The guidance given at the moment on “excessive” could be clearer in itself. For example, 
we have experienced requesters arguing that it only applies where one of the first set of 
bullet points applies. We don’t believe this is the intended scope/effect of the guidance, 
but it would be very helpful if this could be clarified. The statement that volume of 
material is not necessarily enough to make a request excessive is unhelpful in the absence 
of more explanation of when/how/on what basis the volume of material might be relevant 
at least to some extent. 


Q5 On a scale of 1-5 how useful is the draft guidance? 


1 - Not at all useful 
2 - Slightly useful 
3 - Moderately useful 
4 - Very useful 
5 - Extremely useful 


Q6 Why have you given this score? 


As noted above, the guidance is very useful on some points, but does not tackle the 
central issue for us as an organization. We are committed to respecting data subject 
rights and accept that sometimes significant resource is required to comply with the 
subject access rights. However we consider proportionality and the overall purpose of 
subject access rights are important concepts to be considered in the context of 
“manifestly unfounded or excessive”. There are some areas where the guidance “adds 
value” and others where it doesn’t. 


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


[ ] Strongly disagree 
[ ] Disagree 
[ ] Neither agree nor disagree 
[ ] Agree 
[X] Strongly agree 


Q8 Please provide any further comments or suggestions you may have about the draft 
guidance. 


Q9 Are you answering as: 


[ ] An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

[ ] An individual acting in a professional capacity 

[X] On behalf of an organisation 

[ ] Other 


Please specify the name of your organisation: 


Bournemouth University: this response is made on behalf of the University’s Legal 
Services team and Information Office, not the University as a whole. 


What sector are you from: 


Higher education 


Q10 How did you find out about this survey? 


[X] ICO Twitter account 
[ ] ICO Facebook account 
[ ] ICO LinkedIn account 
[ ] ICO website 
[ ] ICO newsletter 
[ ] ICO staff member 
[ ] Colleague 
[ ] Personal/work Twitter account 
[ ] Personal/work Facebook account 
[ ] Personal/work LinkedIn account 
[ ] Other 


Thank you for taking the time to complete the survey. 


